Overview

overview

10

Static

static

8d34337c1b...7e.dll

windows7_x64

10

8d34337c1b...7e.dll

windows10-2004_x64

10

Analysis

  • max time kernel
    94s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-06-2022 03:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8d34337c1b7f3fa479f4ffbd5de750e59f56d35961481e3331b92a60c8669e7e.dll

  • Size

    793KB

  • MD5

    358ecfffc983f647648eaa9e7c7b146c

  • SHA1

    efa46704790e370b0c4a1d313120494bffca3571

  • SHA256

    8d34337c1b7f3fa479f4ffbd5de750e59f56d35961481e3331b92a60c8669e7e

  • SHA512

    b55a8c065b5a87c88bd000d0e68cafd216621c0e297e49975fa6c5612e5dd4e8e8381a800ff0bc89278211a68f0643a00c3f533114dfe951596933a25c4af8ad

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 3 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 28 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8d34337c1b7f3fa479f4ffbd5de750e59f56d35961481e3331b92a60c8669e7e.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4960
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\8d34337c1b7f3fa479f4ffbd5de750e59f56d35961481e3331b92a60c8669e7e.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2992
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1312
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 476
          4⤵
          • Program crash
          PID:4432
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1308
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1128
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3824
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3824 CREDAT:17410 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:4380
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1312 -ip 1312
    1⤵
      PID:3104

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      Filesize

      55KB

      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      Download Submit

    • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      Filesize

      55KB

      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      471B

      MD5

      4b5f63131c2ad19a1b25b9c790cb101f

      SHA1

      23ffbecbbc2c90699e632a1bb789f5e6c6975fbe

      SHA256

      f712507488d39ee6f3913255fa4e3f64b7f8d7be0c920c02546e3647f87603da

      SHA512

      dc1d4c9b5157e79230fa05b1bde5e76f1ab2bdb08883ec74cccedc3ef88b1dff05fe91b36ab72086be6899d70fa9056d7c19fa0f285578b7cfa141f9e2cb6240

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      404B

      MD5

      6dbf6da0f1af51e1b7a7b73835d28a6c

      SHA1

      89c89aa76cfce6240fe1d5a9bb08db5c84c23445

      SHA256

      ec67fcdc34a38b975e8b2e660dd41e5ef9860f8018ae9a7020eb2fc858450900

      SHA512

      378f0e756cdea8d2d0a664118a28ad5c931469102792f47807e4519614acae3d689ef39aab3b59486079def984dbda527554e36255785ff842851f7e59307d8c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\~TM14E0.tmp
      Filesize

      1.6MB

      MD5

      4f3387277ccbd6d1f21ac5c07fe4ca68

      SHA1

      e16506f662dc92023bf82def1d621497c8ab5890

      SHA256

      767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

      SHA512

      9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

      Download Submit

    • C:\Windows\SysWOW64\rundll32Srv.exe
      Filesize

      55KB

      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      Download Submit

    • C:\Windows\SysWOW64\rundll32Srv.exe
      Filesize

      55KB

      MD5

      ff5e1f27193ce51eec318714ef038bef

      SHA1

      b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

      SHA256

      fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

      SHA512

      c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

      Download Submit

    • C:\Windows\SysWOW64\rundll32mgr.exe
      Filesize

      106KB

      MD5

      7657fcb7d772448a6d8504e4b20168b8

      SHA1

      84c7201f7e59cb416280fd69a2e7f2e349ec8242

      SHA256

      54bc950d46a0d1aa72048a17c8275743209e6c17bdacfc4cb9601c9ce3ec9a71

      SHA512

      786addd2a793bd4123625b22dc717d193246442ac97f1c3f4a763ec794b48e68051cd41097c0e9f7367e6914534f36eafccb109ab03dc793d68bf1522e7884e2

      Download Submit

    • C:\Windows\SysWOW64\rundll32mgr.exe
      Filesize

      106KB

      MD5

      7657fcb7d772448a6d8504e4b20168b8

      SHA1

      84c7201f7e59cb416280fd69a2e7f2e349ec8242

      SHA256

      54bc950d46a0d1aa72048a17c8275743209e6c17bdacfc4cb9601c9ce3ec9a71

      SHA512

      786addd2a793bd4123625b22dc717d193246442ac97f1c3f4a763ec794b48e68051cd41097c0e9f7367e6914534f36eafccb109ab03dc793d68bf1522e7884e2

      Download Submit

    • memory/1128-138-0x0000000000000000-mapping.dmp

      Download

    • memory/1128-143-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1308-135-0x0000000000000000-mapping.dmp

      Download

    • memory/1308-142-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1312-144-0x0000000077B70000-0x0000000077D13000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1312-145-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/1312-146-0x00000000005B0000-0x00000000005DA000-memory.dmp

      Filesize

      168KB

      Download

    • memory/1312-131-0x0000000000000000-mapping.dmp

      Download

    • memory/2992-130-0x0000000000000000-mapping.dmp

      Download

    • memory/2992-133-0x0000000010000000-0x00000000100D1000-memory.dmp

      Filesize

      836KB

      Download